
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

OnGuard Physical / Virtual IP

  • 1.  OnGuard Physical / Virtual IP

    Posted Nov 03, 2022 08:01 AM
    Hi All,

    Somewhere in the past I saw a line stating that the OnGuard persistent agent needs to communicate only by physical IP against the ClearPass server. But I forgot where it is. I tried searching the ClearPass OnGuard Troubleshooting page and the OnGuard In A Cluster Tech Notes, but didn't have any luck.

    I have a case where we are doing a migration of ClearPass hardware. In the OnGuard settings > Policy Manager Zones we have an overriding FQDN which basically resolves to the VIP. This VIP is configured in ClearPass's Virtual IP Setting under Server Manager > Server Configuration.

    Prior to migration, this VIP is in front of IP A and IP B, after migration to IP C and IP D (all respectively a.k.a. in order).
    Some clients 'get affected' after migration, where in the Health Log we see the ClearPass IP reachable is IP B (which indeed was not there anymore and was already 'replaced' by IP D). We checked the agent.conf file; there is no IP B there (since it's already after migration, no more IP A and IP B).

    Straight to the question: does OnGuard have some cache so it somehow still remembers there is this IP B?

    And, after all, is using a VIP as the OnGuard IP a recommendation by Aruba?

    Thanks all.

  • 2.  RE: OnGuard Physical / Virtual IP

    Posted Nov 09, 2022 03:14 AM
    These are quite detailed questions, that I don't know the answer to. If there is no answer here, please try opening a TAC support call to get an explanation for what you see and answers to these two questions. Alternatively, you could ask this question through your local Aruba SE. And please share here if you know the answers.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.